With jokes it is often said that the old ones and the obvious ones are the best. How else can you account for the popularity of slapstick and other physical humour and the 'You've Been Framed' style of TV programme?

According to a number of recent surveys and recent worms, it seems the same is true of computer users' passwords. In other words, the joke is on us, the computer user community!

Have you heard?

Have you heard the one about the user who ...

Wrote their password on a Post-it note and stuck it on their screen or 'hid' it under their keyboard?

Used their phone number, car number plate, names of family members, pets or their own name?

Used 'Password', 'Secret', 'qwerty', '12345' or their user ID as their password?

Used the same password repeatedly or re-used a small number of easy-to-remember words/names?

Used a repeating character, such as space or z or an x six times?

If you haven't, then you have not been involved in computer security for long enough, or worked in a support department – or you are from another planet or universe entirely!Welcome to the 'real' world.

Trust me, I'm a security specialist

This article will lance the festering boil of computer security; passwords. Just like an embarrassing itch that you don't or won't tell the doctor about, users refuse to seek help or take the medicine that's good for them when it comes to the key to their computer's front door – the humble, but oh-so-important password.

I will also cover some of the recent pieces of malware that have password lists and cracking tools as part of their payload to allow propagation on internal (and external) networks.

The main problem, as demonstrated by Nebiwo (aka Deborm), Mumu (aka SpyBot), Deloder and Lovgate, is that of weak, easily guessable passwords – or even worse, no password at all – on user accounts and Windows shares. Finally, I shall gaze into my crystal ball and try to predict what may be inflicted on us with next from the 'fevered pits' of the malware authors' minds.

Down the Wormhole

'You take the red pill and you stay in wonderland and I show you how deep the Wormhole goes ...' (borrowed and adapted from The Matrix). First, let us investigate in brief just some of the worms that like to carry passwords around with them to use against those who rely on weak or non-existent passwords.

Mumu (aka Bat.SpyBot)

This is a collection of 17 components (including batch files) which spreads via SMB (port 139/tcp) and attempts to gain access to remote systems via the nine passwords held within its code.

The interesting aspect of this piece (or should that be collection?) of malware is that, like several other new-ish malware threats, it uses security tools that are more commonly employed by network administrators or other IT support staff. Is this yet another trend? I certainly believe that it is – at the time of writing this article another new variant has been found in the wild.

Nebiwo (aka Deborm)

This piece of malware is not really a password-carrying threat, but it steals credentials from the user logged in on the infected system, and uses them, as well as the following accounts with blank passwords:

Administrator

Guest

Owner

It attempts to use C and C$ shares. This worm has spread quite widely and, like Opaserv, I regularly catch quite a number of infected samples on my SMB-Lure, so it seems to be quite well established in the Internet user community.

Opaserv

On the subject of that large family of worm variants, Frédéric Perriot's analysis of this worm (see VB, December 2002, p.6) describes the fact that it carries a distributed DES cracker as part of its body. Could this be a model that other malware authors will follow?

I am still catching thousands of samples of Opaserv variants each month. Over 60,000 samples in total have been captured between October 2002 and the end of May 2003. In the last week alone my SMB-Lure caught four brand new variants of this family, as well as several new malware variants from other families.

Lovgate.K

Lovgate is another well-established family of malware variants (see VB, April 2003, p.9 and this issue p.8). Lovgate.K carries a backdoor and mails itself out as well as spreading via SMB, as did other variants of its family.

The .K variant carries a list of 83 passwords in its body for use in a dictionary-style attack on remote hosts found via SMB scanning. However, unlike several other password-carrying malicious programs it, allegedly, uses only the Administrator account.

The problem here is that many default installations of Windows 2000 and XP don't allow you to set/reset the administrator password until after the operating system has been installed.

If, like many companies, you use a static build snapshot, then you may be facing a different problem. Why? Well, unless you have set a 'strong' password on the original system you imaged, you may well have given away the keys to your kingdom!

Furthermore, if you have the same default administrator password on all systems, then you will have a major problem when a brute force attack is successful on just one of your systems – effectively, the others are also owned by the malware. Game, set and match to the malware author.

Deloder

Another interesting example of password-carrying malware is W32/Deloder (see VB, May 2003, p.5 and http://vil.nai.com/vil/content/v_100127.htm).

Like a growing number of other pieces of malware, Deloder carries other non-malicious programs or components to enable it to spread and/or function. In Deloder's case the components are from VNC (see http://www.uk.research.att.com/vnc/), Cygwin (see http://www.cygwin.com/) and the well-known PSEXEC tool from SysInternals (see http://www.sysinternals.com). Another variant uses a different remote access tool from that used in the original (VNC). Both of the major variants drop backdoors (Backdoor-ARG) and an IRC bot (IRC-Pitchfork).

Interestingly, Deloder probes not only for C$ and IPC$, but also for ADMIN$, D$, E$ and F$ shares. Basically, the worm looks for the default admin shares that exist normally on the vast majority of Windows 2000 and XP systems – that is, unless your IT department has removed or disabled them.

Deloder carries a list of 86 passwords (the number of passwords varies from one vendor's description to another). As it uses port 445 (Microsoft-ds) to spread, it will only function on Windows 2000 and XP.

As a final and somewhat ironic side note on Deloder, this worm was found happily spreading on the many wireless networks that were set up for the Infosecurity Europe 2003 show in London in April 2003. It turned out that many of these networks had no security enabled at all, and this was an event about security!

Ex-terminate! Ex-terminate!

What's more worrying about this trend is that a number of these worms now carry backdoors, key loggers and Trojans to disable many AV, personal firewall, IDS and related programs.

What is even more worrying is that some security tools still don't seem to have addressed this problem, and allow themselves to be terminated in this manner.

Surveys

The following are some of the results from a number of recent polls and research projects on computer security.

These demonstrate that it is the human element that poses the biggest risk to computer security: no matter how strong your security, it is only as strong as its weakest link – the human behind the keyboard.

NTA 2002

The 2002 NTA Monitor Password Survey (see http://www.nta-monitor.com/fact-sheets/pwd-main.htm) found that 84 per cent of computer users consider memorability to be the most important attribute in selecting a password, and that 81 per cent of users select a common password where possible.

Meanwhile, 25 percent of employees would consider a word as simple as 'Banana' to be a safe and acceptable password – even though it would take a hacker seconds to break into a corporate network using it.

Infosecurity 2003 Europe

Here's an interesting quote from another recent survey (source: http://www.securityvoice.co.uk/art.php?art=49):

'90% of office workers at Waterloo Station gave away their computer password for a cheap pen, compared with 65%last year.'

The report goes on to say: 'The most common password was "password" (12%) and the most popular category was their own name (16%) followed by their football team (11%) and date of birth (8%).'

Finally, 'Men were slightly more likely to reveal their password with 95% of men and 85% of women giving away their password.'

Cracking passwords, Gromit!

There are a number of methods by which a password for a computer can be obtained or otherwise cracked.

Social engineering

The social engineering approach goes straight to the weakest link in your security: the human behind the keyboard.

Techniques used include:

Persuading the user to disclose their login credentials (ID and password). We have seen this in the recent PayPal and online banking scam emails, with the perpetrators pretending to be from 'security' or 'the helpdesk' and needing to confirm 'your' password and login ID.

Key loggers.

Trojans, including RATs and backdoors.

Guessing

If you know someone quite well – for example a friend or a close work colleague – and they do not follow good password rules, then it is very likely that you would be able to guess their password within a dozen guesses, possibly fewer.

Dictionary attack

This could be as simple as having a list of a few dozen words or many, many thousands of possible passwords and trying each of them.

Brute force

This is the most intensive method; it involves simply trying every possible combination of letters, numbers and in some cases punctuation and other ASCII characters until the correct password is found.

Typically it would start at a, then try aa, then aaa and so on, until either it runs out of combinations to try or finds the right combination, to crack your 'Pa5Sw0rD'.

The main problem with this technique is that it tends to be computationally expensive, and most users would realise that their system was running more slowly than usual.

Sniffing and session hijacking

Both of these methods use tools to perform 'electronic eavesdropping'. Session hijacking tools allow the attacker to steal your credentials as they are sent to the remote system. This can be used to allow the attacker to impersonate you and gain access to the system you were trying to log into or, more often, to modify data in transit between you and the intended recipient.

Packet sniffing tools and protocol decoders are easily used and very effective, especially those that have been written to 'decode' password data. Both sniffing and session hijacking normally require your traffic to pass through a system on the same subnet as the 'sniffer'.

Good password guide

Below are some basic, but generally sound, guidelines for improving the quality and strength of your passwords.

(T) = This (i) = is (a) = a (S)= story (!) = not (2) = to (B) = be (m1st) = missed.

Other useful guides on selecting good passwords can be found at the following:

http://www.alw.nih.gov/Security/Docs/passwd.html

http://www.securitystats.com/tools/password.asp

http://www.securityfocus.com/infocus/1537/.

Risky business

So, how can you attempt to redress the current balance of power that seems to be in the malware authors', and end-users' hands?

Here are a few suggestions – and these are not just for the Windows users out there:

Remove or rename the default Administrator account.

Disable the Guest account.

Use the PASSFILT.DLL program on Windows NT/2K and XP, as this will not allow poor passwords to be used (for instructions see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/passfiltdll.asp).

On *NIX systems, use a replacement PASSWD binary that will not allow passwords that are weak or that can be guessed easily. Examples include Epasswd (see http://www.nas.nasa.gov/Groups/Security/epasswd/), Npasswd (seehttp://www.uts.cc.texas.edu/~clyde/npasswd/) or Passwd+ (Passwd+ ftp://ftp.dartmouth.edu/put/security/)

Just like us, passwords need regular breaks in order to be at their most effective – with this in mind, change them regularly, and do not re-use them.

Other options

Instead of relying on passwords, why not consider the following technologies – some of these effectively replace, or seriously augment password-based systems, thereby making it harder for the malware authors and easier on the end-users without sacrificing the keys to your kingdom:

biometrics

smartcards

tokens.

Yes, there is a cost associated with the use of these, but will not using such technology end up costing you more?

What's next?

Oh, I hate to crystal ball gaze, both because it can put ideas into the heads of those on the other side and because it often proves to be wide of the mark ... but here goes!

I imagine we will see:

Malware that uses 'brute-force' password cracking methods to defeat 'stronger' passwords, as well as carrying other nasty payloads.

Malware that uses social engineering to obtain the users' passwords and logon IDs by spoofing a website and email headers, in much the same way as the recent PayPal and bank scams.

Conclusions

In the future we will see increasing numbers of new malicious programs that will take advantage of the 'human element'. Social engineering and weak passwords will be the key areas here.

As stated previously, it is the human element that presents the biggest risk to computer security. You can now tell your staff it's official (see http://nl1.vnunet.com/News/1136127 and http://news.com.com/); 'You are the weakest link ... in security.' This is something many of us knew already, but were too polite to mention – especially to <insert your favourite weakest link here>!

When a daily sports paper compares a national soccer crisis with the spread of an Internet worm, you know that the worm has had an enormous impact on everyday life. In March 2004, Gabor Szappanos tracked the rise of W32/Mydoom.

This paper analyses one of the most interesting anti-analysis native libraries we’ve seen in the Android ecosystem. No previous references to this library have been found.The anti-analysis library is named ‘WeddingCake’ because it has lots of layers.

When it comes to the descriptive study of digital adversaries, we’ve proven far less than poets. Currently, our understanding is stated in binary terms: ‘is the actor sophisticated or not?’. Juan Andres Guerrero-Saade puts forward his views on how we…

It has never been easier to attack Office vulnerabilities than it is nowadays. In this paper Gabor Szappanos looks more deeply into the dramatic changes that have happened in the past 12 months in the Office exploit scene.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.